Dick,

> On Sep 16, 2025, at 6:53 AM, Dick Hardt <[email protected]> wrote:
>
> A motivation of the 2.1 spec is that an AS or client would declare they are
> compliant with 2.1 and not have a piecemeal set of features. I.e., there is a
> bar for compliance and an AS or client does not cherry-pick the ones they
> like.
>
> I might be wrong, but features that drive security are not optional -- and
> that is a key driver of 2.1 compliance.
One of the most frustrating things for me as a developer WRT OAuth is that interoperability and discoverability have never been a high priority. RFC 8414 went a long way towards solving the discoverability problem, and it looks like OAuth 2.1 will help for interop. OIDC obviously has made some different choices, but (for now at least) it is possible to write an OAuth client that also works with OIDC Authorization Servers.

The remaining pain point is with client registration: dynamic client registration remains optional for both OAuth 2.1 and OIDC, which means it is impossible to write an OAuth client that doesn't require support for manually entering a client ID and secret for a given AS. This is bad UX and ultimately bad security.

________________________
Michael Sweet
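The discover-then-register flow the reply describes, as an added example that is not part of this thread: it builds the RFC 8414 metadata URL, validates that the fetched document really belongs to the requested issuer, and falls back to manually supplied credentials when no registration_endpoint is advertised. The sample metadata, hostnames, and function names are constructed for illustration and assume a public authorization-code client.

```python
import json
from urllib.parse import urlsplit
WELL_KNOWN = ".well-known/oauth-authorization-server"
# Constructed sample metadata documents (hypothetical hosts, not real servers).
AS_WITH_REGISTRATION = json.dumps({
    "issuer": "https://as.example/tenant1",
    "authorization_endpoint": "https://as.example/tenant1/authorize",
    "token_endpoint": "https://as.example/tenant1/token",
    "registration_endpoint": "https://as.example/tenant1/register",
    "code_challenge_methods_supported": ["S256"],
})
AS_WITHOUT_REGISTRATION = json.dumps({
    "issuer": "https://legacy.example",
    "authorization_endpoint": "https://legacy.example/authorize",
    "token_endpoint": "https://legacy.example/token",
    "code_challenge_methods_supported": ["S256"],
})

def metadata_url(issuer: str) -> str:
    """RFC 8414 section 3: well-known path goes between host and issuer path."""
    p = urlsplit(issuer)
    if p.scheme != "https" or p.query or p.fragment:
        raise ValueError("issuer must be an https URL without query or fragment")
    return f"https://{p.netloc}/{WELL_KNOWN}{p.path.rstrip('/')}"

def parse_metadata(issuer: str, body: str) -> dict:
    """Validate fetched metadata: issuer must match exactly (RFC 8414 section 3.3),
    so a document belonging to another AS is rejected, and S256 PKCE must be offered."""
    meta = json.loads(body)
    if meta.get("issuer") != issuer:
        raise ValueError("issuer mismatch: metadata is not for this AS")
    for key in ("authorization_endpoint", "token_endpoint"):
        if key not in meta:
            raise ValueError(f"metadata lacks required {key}")
    if "S256" not in meta.get("code_challenge_methods_supported", []):
        raise ValueError("AS does not advertise S256 PKCE")
    return meta

def registration_plan(meta: dict, redirect_uri: str, manual_client_id: str = "") -> dict:
    """Prefer dynamic registration (RFC 7591); else fall back to a manually
    provisioned client_id; else report that operator-entered credentials are needed."""
    if "registration_endpoint" in meta:
        request = {  # RFC 7591 client metadata for a public authorization-code client
            "redirect_uris": [redirect_uri], "grant_types": ["authorization_code"],
            "response_types": ["code"], "token_endpoint_auth_method": "none"}
        return {"mode": "dynamic", "endpoint": meta["registration_endpoint"], "request": request}
    if manual_client_id:
        return {"mode": "manual", "client_id": manual_client_id}
    return {"mode": "needs_manual_credentials"}
```

The issuer check is what keeps a metadata document fetched from one host from being accepted as describing a different AS; without it the client would happily send codes and credentials to whatever endpoints the document names.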
